From owner-freebsd-arch@freebsd.org Tue May 7 20:36:17 2019 Return-Path: Delivered-To: freebsd-arch@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 888A515933AD for ; Tue, 7 May 2019 20:36:17 +0000 (UTC) (envelope-from wlosh@bsdimp.com) Received: from mailman.ysv.freebsd.org (mailman.ysv.freebsd.org [IPv6:2001:1900:2254:206a::50:5]) by mx1.freebsd.org (Postfix) with ESMTP id 7AC0A73A1A for ; Tue, 7 May 2019 20:36:16 +0000 (UTC) (envelope-from wlosh@bsdimp.com) Received: by mailman.ysv.freebsd.org (Postfix) id 3B18E15933AC; Tue, 7 May 2019 20:36:16 +0000 (UTC) Delivered-To: arch@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 18C0815933AB for ; Tue, 7 May 2019 20:36:16 +0000 (UTC) (envelope-from wlosh@bsdimp.com) Received: from mail-qk1-x734.google.com (mail-qk1-x734.google.com [IPv6:2607:f8b0:4864:20::734]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "smtp.gmail.com", Issuer "GTS CA 1O1" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id B106773A18 for ; Tue, 7 May 2019 20:36:15 +0000 (UTC) (envelope-from wlosh@bsdimp.com) Received: by mail-qk1-x734.google.com with SMTP id w25so1972415qkj.11 for ; Tue, 07 May 2019 13:36:15 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bsdimp-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=0hxbxjFJ/OMRUh8GS6ebr3GtWFbghOGGN8qjLdY3y9M=; b=f0hUXlEeddISgCjBBkV2AgQG62T64a2YjfNS0sP/6UXEghKPDGJ6UdJgrfzEofu3Q8 P7mSP761QqgwRJq76ZUttw6B/LGE4GkKKExomND7C89oGtljkMycv9h/qcQYbeUlddky bvf58MWmEn1yxl/FEC2I/7Ow28t7vZ8zdud7d7i3u1T/KmtthkDQqV/quJTLlIRiopyQ IO2P+U8gxGYaH7lvRt8GteiNU/B83YsiUzu+ko5NA66daz6u5/kkiB3rKYztDGYw32cD gHiGTIdN9dLL/8FdP+VRCW1Ts27XEySqbkrhTBeFFXmVKxORuGSF13VOV76kRT902k3A Kc/A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=0hxbxjFJ/OMRUh8GS6ebr3GtWFbghOGGN8qjLdY3y9M=; b=A0CKBzQRqWROS5H69gK6ydxVU/XywWG2CYnADAPyQyAFVz7nLV7sk/zqzGHFVcIoVh TAx2d9Zj1UWIoIlpQWO+BbLfdrcgpqVxZ6I4SqX2aZUFgXMcirLbVx+OZOIgfnGieD6w 2xM15ygVWkk1v7gAfHhCThKheToHCZMiNNbbXYEDgQoiXyrNskeLUqZARC/VXfvoJB1o pisNSA7Q2owRoNAI8NeDIHD2DXXoihCtFtJo0Jn5tGwM/hqIBGr05MLJ1B4hdLnNJLez r0ppQF5KEX5V8gcsORsLKt2ItXBNiIGQ41bs4zOoyixuWmisGnYvc2ZBAHqSAN+jGA0f f+Mw== X-Gm-Message-State: APjAAAVlLjIpvTRftItu8lmosO41cxt3/gvQz2fVbxcNR8gBPCTgdb0f QCMDasaIMD5TPIYsywLulAnaKNkoz66Jwxv97m9jEQ== X-Google-Smtp-Source: APXvYqzQwCfQ9s1QlCqK23mcBE7J9ovuPZBdsDrTeCCu6nkUqdNB3t3HcS/vFWyaOm9ids67cM6rfWJ7zwBWldyPnbM= X-Received: by 2002:a37:f50c:: with SMTP id l12mr12670757qkk.175.1557261375070; Tue, 07 May 2019 13:36:15 -0700 (PDT) MIME-Version: 1.0 References: <41ed59c2-f06c-710b-0e77-3b78add85ca3@FreeBSD.org> In-Reply-To: <41ed59c2-f06c-710b-0e77-3b78add85ca3@FreeBSD.org> From: Warner Losh Date: Tue, 7 May 2019 14:36:03 -0600 Message-ID: Subject: Re: Deprecating crypto algorithms in the kernel To: John Baldwin Cc: "freebsd-arch@freebsd.org" X-Rspamd-Queue-Id: B106773A18 X-Spamd-Bar: ------ Authentication-Results: mx1.freebsd.org X-Spamd-Result: default: False [-6.95 / 15.00]; NEURAL_HAM_MEDIUM(-1.00)[-1.000,0]; NEURAL_HAM_LONG(-1.00)[-1.000,0]; REPLY(-4.00)[]; NEURAL_HAM_SHORT(-0.95)[-0.952,0] Content-Type: text/plain; charset="UTF-8" X-Content-Filtered-By: Mailman/MimeDel 2.1.29 X-BeenThere: freebsd-arch@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Discussion related to FreeBSD architecture List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 07 May 2019 20:36:17 -0000 [[ trimmed ]] On Mon, May 6, 2019 at 7:14 PM John Baldwin wrote: > commit 18e69bec6ee11ca2c7e89752ddab97bb8f776c7b > Author: John Baldwin > Date: Mon May 6 17:54:33 2019 -0700 > > Add additional warnings to /dev/crypto for deprecated algorithms. > > If these algorithms are removed from geli(4) then there will no longer > be > any in-kernel consumers: > - 3DES > - Blowfish > - MD5-HMAC > This freaked me out when I saw it, since I have GELI volumes going back a about a decade. However, checking into it showed no cause for concern. The default was changed in this commit: pjd | Thu Sep 23 11:58:36 2010 +0000 | r213070 Add support for AES-XTS. This will be the default now. All my GELI volumes are AES-XTS (though some pre-date this change, I may have converted somehow along the way). Camilla support was added in 2007, and that's not on the chopping block, but wasn't made the default. So all GELI volumes created in the last 8 years aren't affected (plus or minus for time to get into a release) and even older ones likely are still supported. So I expect the practical impact of this to be minimal. Warner